…wait I'm sorry, fucking *what*? "back up your authenticator codes to the cloud"?! Isn't it *literally* no longer 2FA then? Like at that point the test the authenticator performs isn't "do you have the physical device" it's "do you have access to the Google account". Why not use a Google password manager and skip the authenticator?!

@mcc I mean... this doesn't _have_ to be insecure. If it's using a hardware key and asymmetric crypto and re-encrypting with multiple keys when you add another hardware device... (sort of how keybase.io worked)